{
  "variant_id": "pruva-cve-2026-58126-negative-service-host-check",
  "created_at": "2026-07-05T00:00:00Z",
  "variant_summary": "No distinct bypass or alternate-trigger variant was confirmed. Static review found that PGImageExchangeQueueSvc.exe can instantiate the same PGImageExchQueue.ExchangeForm that registers tcp://<host>:22222/PGImageExchange, but this is the same endpoint/sink and the Wine service-start harness did not runtime-confirm a separate service-hosted trigger. No public fixed PACS Scan build was available for bypass testing.",
  "relation": "newer_version_sibling",
  "origin_kind": "pruva_variant",
  "repository": "Hyland/PACSgear PACS Scan closed-source vendor package",
  "submitted_target": {
    "target_kind": "vendor_binary",
    "version": "5.2.1",
    "ref": "https://download.pacsgear.com/download/PacsSCAN5.2.1.zip",
    "display": "PACSgear PACS Scan 5.2.1 vendor installer; PGImageExchQueue.exe sha256 853e7ea4ac56cc85df9a21a81c993a36ac3bff803e35b7ba3aa7c1438a28525c"
  },
  "variant_target": {
    "target_kind": "vendor_binary_and_newer_package_probe",
    "version": "5.2.1 service-host candidate; newer package probes 5.3, 5.3.1, 5.3.3",
    "ref": "https://download.pacsgear.com/download/PacsSCAN5.3.3.zip",
    "display": "Negative variant target: service-hosted startup candidate in 5.2.1 plus latest package probe; no confirmed fixed-build bypass"
  },
  "same_root_cause_confidence": "high_for_service_candidate",
  "same_surface_confidence": "high",
  "claimed_surface": "api_remote",
  "validated_surface": "none_new_variant",
  "required_entrypoint_kind": "api_remote",
  "required_entrypoint_detail": "Parent endpoint tcp://127.0.0.1:22222/PGImageExchange; candidate service-hosted path PGImageExchangeQueueSvc.exe -> Service1.OnStart -> Service1.Start -> new PGImageExchQueue.ExchangeForm -> same PGImageExchange registration",
  "attacker_controlled_input": "Unauthenticated .NET Remoting messages to PGImageExchange in the parent path; no distinct new attacker-controlled input was validated",
  "trigger_path": "PGImageExchQueue.ExchangeForm creates TcpChannel and registers CRemote as PGImageExchange; service executable statically reaches same ExchangeForm but runtime candidate not confirmed",
  "observed_impact_class": "none_new_variant",
  "exploitability_confidence": "not_confirmed_for_variant",
  "evidence_scope": "static_analysis_plus_runtime_attempt_plus_latest_probe",
  "runtime_manifest_present": true,
  "end_to_end_target_reached": false,
  "inferred": false,
  "claim_block_reason": "Only the same remoting endpoint/sink was identified; no materially distinct entry point or patched-version bypass was confirmed. No public fixed build was available for CVE-specific bypass testing.",
  "blocking_mitigation": "A complete fix must patch or remove the central PGImageExchQueue.ExchangeForm remoting registration across both direct executable and service-hosted startup modes.",
  "file_path": "PGImageExchQueue.exe IL: PGImageExchQueue.ExchangeForm startup remoting registration",
  "line_start": 16408,
  "line_end": 16494,
  "secondary_anchors": [
    {
      "file_path": "PGImageExchangeQueueSvc.exe IL: PGImageExchangeQueueSvc.Service1.Start creates PGImageExchQueue.ExchangeForm",
      "line_start": 215,
      "line_end": 250
    },
    {
      "file_path": "PGImageExchangeQueueSvc.exe IL: PGImageExchangeQueueSvc.Service1.OnStart starts Service1.Start thread",
      "line_start": 266,
      "line_end": 285
    }
  ],
  "review_scope_paths": [
    "bundle/logs/vuln_variant/PGImageExchQueue.variant.il",
    "bundle/logs/vuln_variant/PGImageExchangeQueueSvc.variant.il",
    "bundle/logs/vuln_variant/product_remoting_surface_scan.log",
    "bundle/logs/vuln_variant/fixed_latest_check.log",
    "bundle/logs/vuln_variant/latest_version.txt"
  ],
  "artifact_refs": {
    "variant_manifest": "bundle/vuln_variant/variant_manifest.json",
    "validation_verdict": "bundle/vuln_variant/validation_verdict.json",
    "runtime_manifest": "bundle/vuln_variant/runtime_manifest.json",
    "repro_log": "bundle/logs/vuln_variant/reproduction_steps.log",
    "root_cause_equivalence": "bundle/vuln_variant/root_cause_equivalence.json",
    "reproducer": [
      "bundle/vuln_variant/reproduction_steps.sh"
    ]
  }
}
